Isn't scallion dangerous when user generate 2-5 letters?

[ghost]

If you use scallion to generate tor key, this is a major security risk.
Other people can use the tool to generate a same key which you have.

UserA: scallion nsa
UserB: scallion nsa

This enables attackers to host un-official website using your .onion hostname,
and in the worse scenario, like 3-letter agent did, infect a visitor with a javascript virus.

It's a great thing to get a memorable .onion address, but keep in mind, this is seriously dangerous.

[smokeyrd]

Thats part of why you do longer names typically but its up to your users to
make sure the whole address is correct. I think its outside the scope of
this project to consider what amounts to lazy users but your concern on a
basic level is valid.
On Jan 10, 2014 7:41 PM, "anoooon" notifications@github.com wrote:

If you use scallion to generate tor key, this is a major security risk.
Other people can use the tool to generate a same key which you have.

UserA: scallion nsa
UserB: scallion nsa

This enables attackers to host un-official website using your .onion
hostname,
and in the worse scenario, like 3-letter agent did, infect a visitor with
a javascript virus.

It's a great thing to get a memorable .onion address, but keep in mind,
this is seriously dangerous.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/28
.

[lachesis]

Sure, this is known as the "fuzzy fingerprints" attack. Google should turn up plenty of references to those search terms, but the gist of the attack is that most people just check the first and last few characters of the fingerprint (.onion address, in this case) because they can't remember it all.

I think that it's outside the scope of scallion (or even Tor, from a development prospective) to worry about this. Users are responsible for checking the entire fingerprint.